<?php
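// Demo-only connection: server, user and password are hard-coded (root, local server).
// In real code these belong in configuration or environment variables, never in source.
$mysql = new mysqli("localhost", "root", "123456", "game");
// Check the connection BEFORE using it: the original called mysqli_set_charset() first,
// which itself errors on a failed connection. Note that since PHP 8.1 mysqli's default
// reporting mode throws mysqli_sql_exception on connection failure, so this branch is
// only reached under the older, silent reporting mode (mysqli_report(MYSQLI_REPORT_OFF)).
if ($mysql->connect_error) {
    die('连接失败：' . $mysql->connect_error);
}
// Inserted content is UTF-8. (MySQL's "utf8" is the 3-byte utf8mb3; utf8mb4 is needed
// for the full Unicode range, e.g. emoji.)
mysqli_set_charset($mysql, 'UTF8');

// Simulated SQL injection.
//
// A benign user sends a plain name, producing:
//   select * from user where name='<name>'
//
// The value below instead contains a closing quote followed by an always-true "or"
// clause. demo1() interpolates it into the SQL text and is hijacked; demo2() passes it
// as a bound parameter and matches it literally as a (non-existent) name.
$key = "zhi ' or '1'='1'--'";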
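/**
 * DELIBERATELY VULNERABLE example: no prepared statement.
 *
 * $key is concatenated straight into the SQL text, so the quote and the
 * "or '1'='1'" in the simulated input alter the WHERE clause instead of being
 * compared as a literal name — the whole table is returned. demo2() is the
 * safe counterpart that binds the value.
 *
 * Reads the file-level $mysql connection and $key payload; echoes the result
 * rows as JSON.
 *
 * @throws RuntimeException if the query fails under the legacy reporting mode
 * @throws JsonException    if the rows cannot be encoded
 */
function demo1(): void
{
    global $mysql, $key;
    $sql = "select * from user where name='$key'";
    $mysqli_result = $mysql->query($sql);
    // Under the pre-8.1 default reporting mode query() returns false on error instead of
    // throwing; calling fetch_all() on false was a fatal error in the original.
    if ($mysqli_result === false) {
        throw new RuntimeException('query failed: ' . $mysql->error);
    }
    $arr = $mysqli_result->fetch_all(); // every row as a numerically indexed array
    $mysqli_result->free();
    echo json_encode($arr, JSON_THROW_ON_ERROR);
}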

//使用预处理语句防止sql注入

//预处理sql语句
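/**
 * SAFE counterpart of demo1(): prepared statement with a bound parameter.
 *
 * The SQL text is fixed at prepare() time and $key travels to the server as
 * data, so its quotes and "or '1'='1'" cannot change the statement's
 * structure — they are matched literally against the name column.
 *
 * Reads the file-level $mysql connection and $key payload; print_r()s the
 * result rows as associative arrays.
 *
 * @throws RuntimeException if prepare() or execute() fails under the legacy
 *                          reporting mode
 */
function demo2(): void
{
    global $mysql, $key;
    $stmt = $mysql->prepare("select * from user where name=?");
    // prepare() returns false (legacy reporting mode) for an invalid statement; the
    // original then called bind_param() on false.
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysql->error);
    }
    $stmt->bind_param("s", $key); // "s": bind $key as a string
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    // The original's fetch_all(1) is MYSQLI_ASSOC; name the constant instead of the magic
    // number. get_result() requires the mysqlnd driver.
    $all = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    print_r($all);
}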